package com.boot.stu.config.security;

import com.boot.stu.util.Oauth2Util;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * @author cwt
 * @description 资源服务器
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Autowired
    private CustomExceptionHandler customAuthExceptionHandler;

    /**
     * 资源授权校验异常反馈
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.stateless(false)
                .accessDeniedHandler(customAuthExceptionHandler)
                .authenticationEntryPoint(customAuthExceptionHandler);
    }

    /***
     * http的网页拦截
     * */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
                //请求权限配置
                .authorizeRequests()
                //下边的路径放行,不需要经过认证
                .antMatchers("/oauth/*", "/auth/user/login").permitAll()
                //OPTIONS请求不需要鉴权
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                //用户的增删改接口只允许管理员访问
                .antMatchers(HttpMethod.POST, "/auth/user").hasAnyAuthority(Oauth2Util.ROLE_ADMIN)
                .antMatchers(HttpMethod.PUT, "/auth/user").hasAnyAuthority(Oauth2Util.ROLE_ADMIN)
                .antMatchers(HttpMethod.DELETE, "/auth/user").hasAnyAuthority(Oauth2Util.ROLE_ADMIN)
                //获取角色 权限列表接口只允许系统管理员及高级用户访问
                .antMatchers(HttpMethod.GET, "/auth/role").hasAnyAuthority(Oauth2Util.ROLE_ADMIN)
                //其余接口没有角色限制，但需要经过认证，只要携带token就可以放行
                .anyRequest()
                .authenticated();
    }
}